
How to Look and Feel Like a Complete Idiot

Recently, in a post to a London mailing list, my friend Andy pointed out that someone on a BBC blog had posted a very detailed error message they had received. Not having lived in this country for long, the only BBC bloggers I've read have been tech people, so I was surprised that someone techy would post something which could compromise our security.

I suppose I could have dashed off a nasty email demanding to know what the hell he thought he was doing, and didn't he realize he was telling the world that this software was vulnerable to algorithmic complexity attacks?

Fortunately, though frequently an idiot, I'm not frequently an ass, so I merely sent the blogger a polite email asking if he meant for that entry to be public. The poor guy seemed surprised by the question so I felt it was important to point out some of the security implications. As it turns out, he was not technically inclined, so that was a bad assumption on my part, but he was gracious about it and pulled the offending bit from the blog post.

I kept this to myself as I didn't want to get the guy in trouble, but later in the week I was sitting in a security meeting and debated mentioning it. I didn't want some manager going down and giving this guy a thrashing, but this information leak was not only unfortunate, it revealed some rather dodgy details of our gory internals (of a system which has since been upgraded, thank goodness). Prudence won the day and I mentioned the post. One of our bosses asked me to forward the email, and so I did, with the following caveat:

Here's the information about the blog post I mentioned. I hadn't said anything before because the individual in question was apparently genuinely surprised that there was a security issue here and I didn't want to get him in trouble.

My boss didn't comment on this, but it was only this weekend that I discovered that the blogger, Eddie Mair, is one of the most well respected radio presenters in this country.

Hoo boy. Way to make Americans look like either complete morons or arrogant bastards :)
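The security point behind the story is that a detailed error message shown to an end user is a detailed error message shown to everyone the user chooses to forward it to. The usual fix is to log the full detail server-side under a random reference id and show the user only that id. This is an added illustration, not code from the post or from the BBC's system; the parser, its error text and the request inputs are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

# What the user sees. It carries a reference id so support can find the
# real details in the log, but nothing about versions, paths or parsers.
GENERIC_MESSAGE = "Something went wrong. Quote reference {ref} if you contact support."


def render_error(exc: BaseException, debug: bool = False) -> dict:
    """Build the error body returned to the client.

    The full exception and traceback go to the server log keyed by a random
    reference id; only that id reaches the user unless debug=True, which
    should never be set in a deployment that outsiders can reach.
    """
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s\n%s", ref, detail)
    if debug:
        return {"ref": ref, "error": repr(exc), "traceback": detail}
    return {"ref": ref, "error": GENERIC_MESSAGE.format(ref=ref)}


def parse_request(raw: str) -> int:
    """Constructed stand-in for an internal component that fails on bad input.

    Its error text deliberately looks like the kind of thing you do not want
    on a public blog: a component name, a version and a hint about how it
    fails. This is invented for the example.
    """
    if not raw.isdigit():
        raise ValueError(f"internal parser v2.3 rejected {raw!r} (backtracking limit hit)")
    return int(raw)


def handle(raw: str, debug: bool = False) -> dict:
    """Request handler: success returns the parsed value, failure returns
    whatever render_error decided the caller is allowed to see."""
    try:
        return {"ok": parse_request(raw)}
    except Exception as exc:  # noqa: BLE001 - we want every failure to go through render_error
        return render_error(exc, debug=debug)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle("42"))                 # {'ok': 42}
    print(handle("abc"))                # generic message plus a reference id
    print(handle("abc", debug=True))    # the version string and traceback: log-only material
```

The check to make in code review is the `debug` path: anything that can switch it on (an environment variable, a query parameter, a config file shipped with the wrong default) is the difference between a reference id on a blog and your internals on a blog.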

I listen to Mair on PM a lot -- he's an awesome, insightful presenter, and one of the scariest interviewers I've ever heard. He ruthlessly cuts through any attempt at bullshit or evasion by his interview subjects, who are usually prominent politicians. Great bloke.
Wow. You're not making me feel better :)

By the way, if you're still game, I would still love to head out to Wales to visit you and Bridie!
Heh-heh. :)

I wouldn't be surprised to hear him mention the incident at some point on PM, in the context of what ordinary people can do about computer security, or something. ;)

Yeah, you are always welcome to come and visit -- we'd like that very much.
While you may feel that you boned it up a bit, I think you did the right thing. No matter the individual, the security could have been compromised by their posting and it needed to be brought to their attention.

It seems then, that the next step for the higher ups and the security department is to add this incident to their process memory for teaching security to the masses. This is something that should never have happened had the end users been given proper tutorials.

I have to wonder then also, at what other things might be written about or leaked by end users who just have no clue. This is the ever present worry of the CSO (if they are good at what they do) and the tasty bits that the hackers look for.

You did the right thing...
Many words popped into my head to reply to your post. I think your story can be best summed up in one word, "DOH!"

He posted a detailed error message from an internal application?

Sheesh!

It sounds like the BBC needs to circulate an 'Ethical use of the Internet' type memo...

Last year, an employee at one of our offices downloaded a utility to extract License codes from the Registry. I don't know if he tried to run it, but it was spotted by our anti-virus software and well...
That was the last day he worked in my organisation...

One of our users complained about not having administrative access to 'his' laptop, and said that he knew a trick to get it, so that he could install the app he wanted. (MSN I believe, and we do NOT allow that app.)
I told him, "That's nice," typed his handle into a webform - while he watched - and got his profile, with a list of computers he had been logged into recently (only one laptop). Clicked on the name of 'his' laptop and got the specs. Another few clicks and I had a list of installed applications... "Seems I don't have to get you fired, just yet," I finished...
(I'm a complete and utter bastard... )

In my organisation there are at least 5000 PCs (spread over at least 150 locations), so we can't afford to 'play around'. A big hack or virus could take ages to fix.


Eddie Mair
(Anonymous)

At last night's Channel 4 Political awards Mr Mair was on a shortlist of 3 for the 'Politics in the Media' award (http://www.channel4.com/news/articles/politics/domestic_politics/channel+4+political+awards+shortlist/1141452). Given that t'other 2 candidates in his category were a magazine and a television programme, you could claim that right now he's not merely "one of" but actually the "most well respected radio presenter in this country"!

(On t'other hand, he didn't win, so I suppose you could dismiss him as not being that respected really!!)

Smylers

Well, probably not. The information had to be said, though I might have been tempted to kick it upstairs (where I doubt anything would have been done).
His well-known radio personality status should not excuse a faux pas such as this one seems to be. If you're a nobody, you get your butt kicked; if you're a celebrity, you're safe and excused. Not ideal. Good for you to stand up and raise the issue without making him look like a complete idiot. You're so diplomatic (-: